[Federal Register Volume 75, Number 193 (Wednesday, October 6, 2010)]
[Notices]
[Pages 61793-61795]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-25067]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-63016; File No. SR-FINRA-2010-021]
Self-Regulatory Organizations; Financial Industry Regulatory
Authority, Inc.; Order Approving Proposed Rule Change to Amend FINRA
Rule 8210 to Require Information Provided via Portable Media Device be
Encrypted
September 29, 2010.
I. Introduction
On June 2, 2010, the Financial Industry Regulatory Authority, Inc.
(``FINRA'') filed with the Securities and Exchange Commission (the
``Commission'' or ``SEC''), pursuant to Section 19(b)(1) of the
Securities Exchange Act of 1934 (the ``Exchange Act'' or ``Act'') \1\
and Rule 19b-4 thereunder,\2\ a proposed rule change to amend FINRA
Rule 8210 to require that information provided via portable media
device to FINRA in response to a request under the rule be encrypted.
The proposed rule change was published for comment in the Federal
Register on June 25, 2010.\3\
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ See Securities Exchange Act Release No. 62318 (June 17,
2010), 75 FR 36461 (``Notice'').
---------------------------------------------------------------------------
The Commission received eleven comment letters on the proposal.\4\
FINRA responded to these comment letters in a letter dated September
14, 2010.\5\ This order approves the proposed rule change.
---------------------------------------------------------------------------
\4\ See letter from David M. Sobel, Esq., EVP/CCO, Abel/Noser
Corp., to Elizabeth M. Murphy, Secretary, Commission, dated July 6,
2010 (``Abel/Noser Letter''); letter from Larry Taunt, Chief
Executive Officer, Regal Financial Group, to Elizabeth M. Murphy,
Secretary, Commission, dated July 7, 2010 (``Regal Letter''); letter
from Lisa Roth, NAIBD Member Advocacy Committee Chair, CEO/CCO,
National Association of Independent Broker-Dealers, Inc., to
Elizabeth M. Murphy, Secretary, Commission, dated July 9, 2010
(``NAIBD Letter''); letter from Chris Charles, President, Wulff,
Hansen, & Co., to Elizabeth M. Murphy, Secretary, Commission, dated
July 13, 2010 (``Wulff Hansen Letter''); letter from Tamara K.
Salmon, Senior Associate Counsel, Investment Company Institute, to
Elizabeth M. Murphy, Secretary, Commission, dated July 14, 2010
(``ICI Letter''); letter from Byron ``Pat'' Treat, President/CEO,
Great Nation Investment Corporation, to Elizabeth M. Murphy,
Secretary, Commission, dated July 15, 2010 (``Great Nation
Letter''); letter from Eric Segall, Sr. V.P., Manager, Business
Conduct, and Edward W. Wedbush, President, Wedbush Securities, Inc.,
to Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010
(``Wedbush Letter''); letter from Raymond C. Holland, Vice-Chairman,
Triad Securites Corp., to Elizabeth M. Murphy, Secretary,
Commission, dated July 15, 2010 (``Triad Letter I''); letter from
Sis DeMarco, Director of Compliance, Triad Securities Corp., to
Elizabeth M. Murphy, Secretary, Commission, dated July 15, 2010
(``Triad Letter II''); letter from S. Kendrick Dunn, Assistant Vice
President, Pacific Select Distributors, Inc. to Elizabeth M. Murphy,
Secretary, Commission, dated July 16, 2010 (``PSD Letter''); and
letter from Howard Spindel, Senior Managing Director, Integrated
Management Solutions, to Elizabeth M. Murphy, Secretary, Commission,
dated July 16, 2010 (``IMS Letter'').
\5\ See letter from Stan Macel, Assistant General Counsel,
FINRA, to Elizabeth M. Murphy, Secretary, Commission, dated
September 14, 2010 (``FINRA Letter'').
---------------------------------------------------------------------------
II. Background and Description of Proposal
FINRA Rule 8210 (Provision of Information and Testimony and
Inspection and Copying of Books) confers on FINRA staff the authority
to compel a member, person associated with a member, or other person
over whom FINRA has jurisdiction, to produce documents, provide
testimony, or supply written responses or electronic data in connection
with an investigation, complaint, examination or adjudicatory
proceeding. The rule applies to all members, associated persons, and
other persons over whom FINRA has jurisdiction, including former
associated persons subject to FINRA's jurisdiction as described in the
FINRA By-Laws.\6\ FINRA Rule 8210(c) provides that a member's or
person's failure to provide information or testimony or to permit an
inspection
[[Page 61794]]
and copying of books, records, or accounts is a violation of the rule.
---------------------------------------------------------------------------
\6\ See FINRA By-Laws, Article V, Section 4(a) (Retention of
Jurisdiction).
---------------------------------------------------------------------------
FINRA is proposing to amend FINRA Rule 8210 to require that
information provided via a portable media device pursuant to a request
under the rule be encrypted, as discussed further below. Requiring such
information to be encrypted will help ensure that such information,
which in many instances includes individuals' personal information, is
protected from unauthorized or improper use.\7\
---------------------------------------------------------------------------
\7\ FINRA has emphasized that its members have an obligation
under existing laws to protect confidential customer records and
information pursuant to the requirements of SEC Regulation S-P. See,
e.g., Notice to Members 05-49 (Safeguarding Confidential Customer
Information).
---------------------------------------------------------------------------
According to FINRA, frequently, members and persons who respond to
requests pursuant to FINRA Rule 8210 provide information in electronic
format. Because of the size of the electronic files, persons often
provide information in electronic format using a portable media device
such as a CD-ROM, DVD or portable hard drive.\8\ In many instances, the
response contains personal information that, if accessed by an
unauthorized person, could be used inappropriately. For example, a
response may include a person's first and last name, or first initial
and last name, in combination with that person's: (1) Social security
number; (2) driver's license, passport or government-issued
identification number; or (3) financial account number (including but
not limited to the number of a brokerage account, debit card, credit
card, checking account, or savings account). If such personal
information were to be intercepted by an unauthorized third party, it
could be used improperly.
---------------------------------------------------------------------------
\8\ The proposed rule change defines ``portable media device''
as a storage device for electronic information, including but not
limited to a flash drive, CD-ROM, DVD, portable hard drive, laptop
computer, disc, diskette, or any other portable device for storing
and transporting electronic information.
---------------------------------------------------------------------------
Additionally, according to FINRA, data security issues regarding
personal information have become increasingly important in recent
years.\9\ In this regard, FINRA believes that requiring persons to
encrypt information on portable media devices provided to FINRA in
response to FINRA Rule 8210 requests will help ensure that personal
information is protected from improper use by unauthorized third
parties.
---------------------------------------------------------------------------
\9\ In its Notice, FINRA represents, for example, that some
jurisdictions, including Massachusetts and Nevada, have recently
enacted legislation that establishes minimum standards to safeguard
personal information in electronic records. See, e.g., Commonwealth
of Massachusetts, 201 CMR 17.00 (Standards for the Protection of
Personal Information of Residents of the Commonwealth), effective
March 1, 2010; State of Nevada, NRS 603A.215 (Security Measures for
Data Collector that Accepts Payment Card; Use of Encryption;
Liability for Damages; Applicability), effective January 1, 2010. As
stated in the Notice, these laws contain penalties that can be
imposed on persons and entities for failures to adequately safeguard
electronic records containing personal information.
---------------------------------------------------------------------------
The proposed rule change would require that information provided
via a portable media device be ``encrypted,'' i.e., the data must be
encoded into a form in which meaning cannot be assigned without the use
of a confidential process or key. To help ensure that encrypted
information is secure, persons providing encrypted information to FINRA
via a portable media device would be required: (1) To use an encryption
method that meets industry standards for strong encryption; and (2) to
provide FINRA staff with the confidential process or key regarding the
encryption in a communication separate from the encrypted information
itself (e.g., a separate e-mail, fax or letter).
III. Discussion of Comment Letters and Commission Findings
The Commission received eleven comment letters on the proposed rule
change and FINRA responded to these comments.\10\ One commenter
supported the proposal, but recommended that FINRA's rules be amended
to add information security rules for itself and notify registrants
when their non-public information has been accessed.\11\ Two commenters
questioned the need for the encryption requirement and suggested that
FINRA, and not its members, should undertake the responsibility of
establishing data protection \12\ and controls.\13\ Another commenter
believed that the proposed rule change did not address FINRA's
responsibility to maintain the confidentiality of the information it
obtains and proposed that members be allowed to redact sensitive
information.\14\ FINRA responded that these comments do not address the
purpose of the proposal which is to safeguard information being
delivered to FINRA via portable media device and noted that it has a
``robust and current information security policy.'' \15\
---------------------------------------------------------------------------
\10\ See supra notes 4 and 5.
\11\ See ICI Letter.
\12\ See NAIBD Letter (endorsed by Triad I Letter and Triad II
Letter), and PSD Letter.
\13\ See NAIBD Letter.
\14\ See Wedbush Letter.
\15\ See FINRA Letter.
---------------------------------------------------------------------------
Five commenters indicated that the application of the proposed rule
to electronic media and not paper documents is too narrow or
misplaced.\16\ One commenter noted that the proposed rule change did
not cover ``hard data transfers'' and was ``inconsistent,'' therefore
``adding an unnecessary layer of cost and inconvenience to the normal
process of business.'' \17\ Another commenter believed that the
proposed rule was ``form over function'' and suggested that overnight
delivery of the electronic files could accomplish the goals of the
proposal.\18\ One commenter noted that FINRA wishes to remove the
discretion of members to encrypt data and yet the proposal does not
cover hard-copy, email and voluntary transmissions of information.\19\
This commenter stated that the proposed rule change ``was a poor
solution'' and suggested that FINRA allow members discretion to
determine encryption methods and apply them to all transmissions to
FINRA.\20\ FINRA responded to these comments by stating that it
believes that encryption is a useful method to protect electronic data
and notes that it is not technically possible to encrypt information in
paper form.\21\ FINRA suggested that it might accept only electronic
submissions of information in the future, but currently must accept the
limitations of paper delivery.\22\ FINRA also stated that it will
explore encryption of other communication methods such as email.\23\
FINRA states that ``the argument that the difficulty of the perfect
encryption of all information irrespective of media is a reason not to
protect that information which can be encrypted could be used to negate
all iterative protections to investors and should not be credited as a
matter of public policy.'' \24\
---------------------------------------------------------------------------
\16\ See Abel/Noser Letter, IMS Letter, NAIBD Letter, PSD
Letter, and Regal Letter, and Abel/Noser Letter.
\17\ See Regal Letter.
\18\ See Abel/Noser Letter.
\19\ See IMS Letter.
\20\ Id.
\21\ See FINRA Letter.
\22\ Id.
\23\ Id.
\24\ Id.
---------------------------------------------------------------------------
Three commenters indicated that requiring encryption of all
information sent via portable media devices is overbroad and suggested
lesser content encryption.\25\ FINRA responded that it ``believes it is
simpler, more efficient and safer to require encryption of all
information provided via portable media device pursuant to a request
under the rule.'' \26\ FINRA stated that the requirement ``obviates the
need for FINRA to circumscribe and monitor,
[[Page 61795]]
and for members to determine, the types of information that should or
should not be encrypted under the rule.'' \27\ FINRA believes that the
suggested alternatives would be more costly than the proposal and
believes the proposal ``further supports compliance with the laws in
some jurisdictions.'' \28\
---------------------------------------------------------------------------
\25\ See Great Nation Letter, IMS Letter, and PSD Letter.
\26\ See FINRA Letter.
\27\ Id.
\28\ Id.
---------------------------------------------------------------------------
Seven commenters believed that the proposal was difficult or costly
to implement.\29\ For example, some commenters believe that small firms
lack the technical experience to implement the proposal and may have to
hire third parties.\30\ One commenter suggested an exception when
information is provided directly to FINRA staff or on the FINRA
premises.\31\ FINRA questioned the burden on members ``given the
availability of web-based encryption solutions currently available at
low- or no-cost.'' \32\ FINRA noted that ``members may be subject to
various data protection laws that are in part the impetus'' of the
proposal.\33\ FINRA stated that it would ``help educate its members
about the process of encryption'' and would ``endeavor to provide
information regarding various options for encrypting data, including
low- or no-cost web-based encryption software.'' \34\
---------------------------------------------------------------------------
\29\ See Abel/Noser Letter, Great Nation Letter, NAIBD Letter,
PSE Letter, Triad Letter I, Triad Letter II, and Wulff Hansen
Letter.
\30\ See, e.g., Great Nation Letter, NAIBD Letter, and PSE
Letter.
\31\ See Wulff Hansen Letter.
\32\ See FINRA Letter.
\33\ Id.
\34\ Id.
---------------------------------------------------------------------------
Three commenters suggested that the proposed requirement to use an
encryption method that ``meets industry standards for strong
encryption'' is too vague and suggested alternatives such as providing
members with the specific method of encryption.\35\ FINRA acknowledged
that, as proposed, the rule does not mandate a specific method of
encryption.\36\ However, FINRA believes that this standard, which it
stated is ``identical to that employed by Massachusettes and Nevada,''
is necessary to ``adapt to changing technology regarding encryption.''
\37\ FINRA stated that it does not believe that it is ``appropriate at
this time to dictate a `one size fits all' approach'' to
encryption.\38\ As designed, this requirement will allow each member to
choose an appropriate method of encryption that works for it.\39\
---------------------------------------------------------------------------
\35\ See NAIBD Letter, PSE Letter, and Great Nation Letter.
\36\ See FINRA Letter.
\37\ Id.
\38\ Id.
\39\ Id.
---------------------------------------------------------------------------
The Commission finds that the proposed rule change is consistent
with the requirements of the Act and the rules and regulations
thereunder applicable to a national securities association.\40\ In
particular, the Commission finds that the proposed rule change is
consistent with the provisions of Section 15A(b)(6) of the Act,\41\
which requires, among other things, that FINRA rules be designed to
prevent fraudulent and manipulative acts and practices, to promote just
and equitable principles of trade, and, in general, to protect
investors and the public interest.
---------------------------------------------------------------------------
\40\ In approving this proposal, the Commission has considered
the proposed rule's impact on efficiency, competition and capital
formation. See 15 U.S.C. 78c(f).
\41\ 15 U.S.C. 78o-3(b)(6).
---------------------------------------------------------------------------
The Commission believes that the proposed rule change is reasonably
designed to ensure that information provided to FINRA on a portable
media device in response to Rule 8210 is secure. FINRA has represented
that this requirement is necessary to address laws in some
jurisdictions that establish safeguards for personal information and
records. The Commission also notes FINRA's representation that there
are low- or no-cost ways to encrypt files and that it will help educate
its members about the process of encryption and meeting their
obligations under the rule. Although the Commission recognizes that the
proposed rule change does not mandate a specific encryption method, the
Commission believes that some flexibility is appropriate to allow for
changes in technology and for members to choose encryption methods that
meet their needs. Finally, the Commission believes that the fact that
information produced to it in other forms, such as paper-based forms,
for which there is no comparable means of protecting the information
from unwanted disclosure, should not preclude the protection of
information that can be protected.
IV. Conclusion
It is therefore ordered, pursuant to Section 19b(2) of the Act,\42\
that the proposed rule change (SR-FINRA-2010-021) be, and hereby is,
approved.
---------------------------------------------------------------------------
\42\ 15 U.S.C. 78s(b)(2).
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\43\
---------------------------------------------------------------------------
\43\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Florence E. Harmon,
Deputy Secretary.
[FR Doc. 2010-25067 Filed 10-5-10; 8:45 am]
BILLING CODE 8011-01-P